HNNEpisode181

From Paul's Security Weekly

Hack Naked News #181

Recorded July 17, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • We just released our 2018 Listener Survey; Please go to securityweekly.com/survey to help us continue to provide you with quality content that doesn't break the build.
    • Mike Thompson joins us to show you how the threat intelligence space is transforming and what techniques security professionals can apply to stay a step ahead of threat actors by mapping their infrastructure. Register now @ securityweekly.com/domaintools
    • Come to our Pool Cabana @ Black Hat and Def Con to pick up a free copy of "Cyber Hero Adventures". Here you will be able to get the comic book signed by Gary Berman.

    Security News

    1. FTC Issues Alert on Tech Support Scams | US-CERT - The Federal Trade Commission has released an alert on tech support scams. Scammers use pop-up messages, websites, emails, and phone calls to entice users to pay for fraudulent tech support services to repair problems that don’t exist. Users should not pay or give control of their devices to any stranger offering to fix problems.
    2. 21-Year-Old Woman Charged With Hacking Selena Gomez's Email Account - And here is the problem: According to the LA Times, Atrach is believed to have broken into Apple iCloud and Yahoo email accounts used by Gomez and her personal assistant by using publicly available information to answer the singer's "secret questions." And just know, if you do this and get caught: Susan Atrach of Ridgefield Park was charged Thursday with 11 felony counts: five counts of identity theft, five counts of accessing and using computer data to commit fraud or illegally obtain money, property or data, and one count of accessing computer data without permission.
    3. Can graphical passwords keep us secure online? | ZDNet - Instead of arranging arbitrary alphanumeric characters in a non-obvious -- and non-memorable -- string, start with a group of pictures and select some that tell a story that is meaningful and memorable to you. The story can be as simple as "I eat breakfast with coffee." So when you unlock your phone, or, hopefully, a website, you just choose from a group of graphical icons to tell your story. Today's larger screens could accommodate 12-20 icons. As icons are used, other icons could take their place, expanding the number of possible combinations. Full paper here: https://arxiv.org/pdf/1807.05843.pdf
    4. '007' code helps stop Spectre exploits before they exist - New research suggests that Spectre exploits could be detected: In this report, we propose oo7, a binary analysis framework to check and fix code snippets against potential vulnerability to Spectre attacks. Our solution employs control flow extraction, taint analysis and address analysis to detect tainted conditional branches and their ability to impact memory accesses.
    5. Notorious Hijack Factory Shunned from Web | Krebs on Security - Bitcanal, a Portuguese Web hosting firm long accused of helping spammers hijack large swaths of dormant Internet address space over the years, was summarily kicked off the Internet this week after a half-dozen of the company’s bandwidth providers chose to sever ties with the company.
    6. Hackers are selling backdoors into PCs for just $10 | ZDNet - Yes, this is a thing: Cyber criminals are offering remote access to IT systems for just $10 via a dark web hacking store -- potentially enabling attackers to steal information, disrupt systems, deploy ransomware and more. The sale of backdoor access to compromised systems was uncovered by researchers at security company McAfee Labs looking into the sale of remote desktop protocol (RDP) access to hacked machines on underground forums -- some of which are selling access to tens of thousands of compromised systems.
    7. Stolen drone files sold on dark web - Sensitive documents about US military drones and manuals describing how to handle insurgents have been offered for sale on the dark web. Security researchers said some of the data had been stolen from a US Air Force captain's computer, reportedly using a vulnerability in a SOHO router. The information includes maintenance guides for MQ-9 Reaper drones and many training manuals for troops deployed outside the US.
    8. IoT search engine exposes passwords of over 30,000 vulnerable DVRs - Bitdefender BOX Blog - It is through this flaw that vulnerable Dahua DVRs, which are often connected to CCTV camera systems, have spilled their login credentials in plaintext to publicly accessible IoT search engines such as ZoomEye. It’s worth noting that the ZoomEye IoT search engine wasn’t trying to gather the passwords of vulnerable Dahua DVRs; it just cached what the DVRs returned when their ports were scanned. Anubhav reports that many of the vulnerable devices have weak passwords such as “admin123”. Almost 15,800 Dahua devices were using the password “admin”, more than 600 were using possibly the worst password of all, “password”, and over 13,900 had the (diabolically poor) password “123456”.
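    Item 4 describes oo7's approach: taint-track attacker-controlled input, find conditional branches whose condition is tainted, and check whether memory accesses executed speculatively past such a branch depend on that taint. The following is an added example, not code from the oo7 paper or its tooling: a toy Python pass over a hypothetical three-address IR that flags the classic Spectre v1 (bounds-check bypass) gadget as a tainted branch (TB), a speculative read at a tainted address (RS) and a second load whose address depends on that read (LS), and shows that a serialising fence after the branch, the kind of fix oo7 inserts, makes the RS/LS findings disappear. The IR, the instruction and variable names, the speculation-window length and the two programs are all invented for the example.

```python
"""Toy oo7-style Spectre v1 (bounds-check bypass) detector over a hypothetical IR.

Added example, not the oo7 project's code.  Instruction tuples (all names invented):
  ("lt",  dst, a, b)        dst = a < b
  ("mul", dst, a, b)        dst = a * b
  ("load", dst, base, idx)  dst = base[idx]
  ("branch", cond, label)   if not cond: goto label (fall-through is the guarded path)
  ("fence",)                serialising instruction such as lfence; speculation stops here
  ("label", name)
Operands are variable names (str) or integer literals (never tainted).
"""

SPEC_WINDOW = 20  # instructions a core may run speculatively past a branch (assumed bound)


def _mark(s, var, flag):
    """Add var to set s when flag is truthy, otherwise remove it (kills stale labels)."""
    if flag:
        s.add(var)
    else:
        s.discard(var)


def analyze(program, tainted_inputs):
    """Return [(instruction_index, kind)] with kind in {"TB", "RS", "LS"}.

    TB: conditional branch whose condition depends on attacker-controlled data.
    RS: inside the speculation window after a TB, a load whose index is tainted
        (the out-of-bounds read the bounds check was meant to prevent).
    LS: inside the window, a load whose index depends on an RS value, i.e. a
        secret-dependent address that leaves a cache footprint for a side channel.
    Only the fall-through (speculatively executed) path is analysed.
    """
    tainted = set(tainted_inputs)   # values derived from attacker-controlled input
    spec_read = set()               # values derived from a speculative (RS) load
    spec_left = 0                   # remaining speculative window; 0 = not speculating
    findings = []
    for i, ins in enumerate(program):
        op = ins[0]
        if op == "label":
            continue
        if op == "fence":
            spec_left = 0           # nothing after the fence executes speculatively
            spec_read.clear()
            continue
        if op == "branch":
            if ins[1] in tainted:
                spec_left = SPEC_WINDOW
                findings.append((i, "TB"))
            continue
        in_window = spec_left > 0
        if op == "load":
            _, dst, base, idx = ins
            if in_window and idx in spec_read:
                findings.append((i, "LS"))
            elif in_window and idx in tainted:
                findings.append((i, "RS"))
            _mark(spec_read, dst,
                  in_window and (idx in tainted or idx in spec_read or base in spec_read))
            _mark(tainted, dst, base in tainted or idx in tainted)
        else:                       # two-operand arithmetic: propagate both labels
            _, dst, a, b = ins
            _mark(tainted, dst, a in tainted or b in tainted)
            _mark(spec_read, dst, a in spec_read or b in spec_read)
        if in_window:
            spec_left -= 1
    return findings


def is_spectre_vulnerable(program, tainted_inputs):
    """True when a secret-dependent speculative load (LS) is reachable."""
    return any(kind == "LS" for _, kind in analyze(program, tainted_inputs))


# Invented IR for:  if (x < array1_size) y = array2[array1[x] * 512];
VULNERABLE = [
    ("lt", "ok", "x", "array1_size"),
    ("branch", "ok", "done"),        # mispredicted: falls through speculatively
    ("load", "v", "array1", "x"),    # RS: out-of-bounds read of a secret byte
    ("mul", "off", "v", 512),
    ("load", "y", "array2", "off"),  # LS: address depends on the secret
    ("label", "done"),
]

# Same code with a serialising fence right after the tainted branch.
HARDENED = [
    ("lt", "ok", "x", "array1_size"),
    ("branch", "ok", "done"),
    ("fence",),                      # speculation cannot pass this point
    ("load", "v", "array1", "x"),
    ("mul", "off", "v", 512),
    ("load", "y", "array2", "off"),
    ("label", "done"),
]

if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, analyze(prog, {"x"}), "->", is_spectre_vulnerable(prog, {"x"}))
```

    The toy keeps the fence as the only recognised mitigation: it has no value-range reasoning, so an index-masking fix (`x & mask` before the load) is still reported because the masked value remains tainted. That limitation is the toy's, not necessarily oo7's, which works on binaries with control-flow extraction and address analysis rather than on a hand-written straight-line IR.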

    Expert Commentary:

    Sextortion Scam Uses Recipient’s Hacked Passwords

    Brian Krebs and a number of other blogs have written up a new use for password dumps by scammers. It’s worth spreading the word to family and friends not to fall for it.

    Basically, the bad guys decided to look up email address and password pairs gathered in data breaches to make their emails seem more credible. Imagine getting an email that says they’ve captured video of you watching porn online. The opening paragraph starts off with this.

    “I’m aware that <substitute password formerly used by recipient here> is your password,”

    “Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.”

    The email goes on to state that you’ve been very naughty and that unless you pay a fee of over $1,000 (up to $2,900 in one post I read), they will send the video of you to all of your contacts. Panic ensues.

    As you may have noticed, the email makes no mention of which site the password they disclose was used on. The message reads like many of the scams that we receive, except for the idea that it includes a password that the victim actually used somewhere on the internet at some point in time. That bit of information adds a sense of validity to the message that it would not have otherwise. If the victim doesn’t have the background to pick up on things like this, then there is a greater chance of them freaking out and responding with payment.

    It’s pretty annoying, but kind of clever. The victim recognizes the password in the message as valid from somewhere. (Probably multiple sites.) This makes them feel like this could be legit and that they need to pay up or suffer the social repercussions of the actions reported in the email. And people are willing to pay to avoid being outed like this. I actually read a local news article where someone was pulled over by the police and they found a large amount of cash in the car. The cops initially thought it was drug related, but it turned out the person had fallen prey to another scam and was on his way to Western Union to send several thousand dollars to the crook.

    Brian Krebs noted that the people who reported this scam to him said that the password was valid, but was ten years old. It was likely changed in response to the breach that got it added to this scam. He also points out that this could just be the start of a new method of scamming people. Instead of just a password, they could include other personal information to make their messages appear legitimate.

    So spread the word to those you know. The mention of porn may make some folks uncomfortable, but so will shelling out a couple thousand dollars due to the threat of having all their friends and family told they watched porn and were videoed while doing so.
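    The commentary turns on one fact: the password quoted in the scam mail came out of a breach dump, and the same dumps are where lists like the Dahua DVR passwords in item 8 end up. The check a practitioner will want to hand to family and friends is whether a given password is in a known breach corpus, without ever sending that password anywhere. The following is an added example, not code from Krebs' post or from this episode: a Python implementation of the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service (send the first five hex characters of the password's SHA-1, receive every hash suffix in that bucket with a count, compare locally). The breached-password list and counts behind `build_fake_range_server` are constructed so the demo runs offline; `real_fetch` carries the same client contract against the live endpoint and is not called by the demo or the checks.

```python
"""k-anonymity breached-password check in the style of Pwned Passwords.

Added example, not code from the episode or from Krebs.  Protocol as used by
https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>: the server
answers with "SUFFIX:COUNT" lines for every hash in that bucket and the client
compares locally, so neither the password nor its full hash leaves the machine.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def build_fake_range_server(breached_counts):
    """Offline stand-in for the range endpoint built from a constructed corpus.

    breached_counts maps password -> occurrence count (both made up by the caller).
    Returns (fetch, requests): fetch(prefix) -> response body, and a list that
    records every prefix requested so a caller can verify only 5 chars were sent.
    """
    buckets = defaultdict(list)
    for pw, count in breached_counts.items():
        prefix, suffix = split_hash(pw)
        buckets[prefix].append(f"{suffix}:{count}")
    requests = []

    def fetch(prefix):
        requests.append(prefix)
        if len(prefix) != 5:
            raise ValueError("range lookups take exactly 5 hex characters")
        return "\r\n".join(sorted(buckets.get(prefix, [])))  # live API uses CRLF

    return fetch, requests


def pwned_count(password: str, fetch) -> int:
    """How often the password appears in the corpus; 0 if never seen.

    Entries with a count of 0 are treated as absent: the live service emits
    such padding lines when asked to (Add-Padding header) to hide bucket sizes.
    """
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix and count.isdigit() and int(count) > 0:
            return int(count)
    return 0


def real_fetch(prefix: str) -> str:
    """Same contract against the live endpoint (needs network; unused by the demo)."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true", "User-Agent": "hnn181-range-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed corpus: the DVR passwords from item 8 with invented counts.
FAKE_BREACHES = {
    "password": 3_600_000,
    "123456": 23_000_000,
    "admin": 500_000,
    "admin123": 90_000,
}

if __name__ == "__main__":
    fetch, sent = build_fake_range_server(FAKE_BREACHES)
    for pw in ("123456", "admin123", "s7Gk!2pQvX9mL"):   # last one is a made-up, unseen password
        print(f"{pw!r}: seen {pwned_count(pw, fetch)} times")
    print("prefixes that left the client:", sent)
```

    Swap `fetch` for `real_fetch` to query the live service; the client logic is unchanged, and the recorded prefixes show that only five hex characters of the hash are ever transmitted, which is the property that makes the check safe to run on a password you still use.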


